JP2003521063A - Method, system and product for restricting access to program files in shared library files - Google Patents

Abstract

(57) [Summary] The present invention provides a class loader (122) that creates a selective interface (210) between an external process (126) and a program file such as a class definition (200) in a shared library (124). ) To restrict access to portions of the shared software library (124). This prevents portions of the shared library (124) that are dedicated to the library or intended to remain inside the library from being loaded by the external process (126). The present invention loads a program file, such as a class definition (200), from a shared library (124) and generates an interface, such as an object (210), to the loaded program file (200). The determination of whether a program file can be exported is made based on a status indicator associated with the interface. If it is determined that the program cannot be exported, the interface will restrict access to the program file.

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD OF THE INVENTION

The present invention relates to a system for restricting access to parts of a shared software library, and more particularly to a system for using a class loader to restrict access to object class definition files in a shared library.

[0002]

[Prior art]

Software vendors typically ship their products as a set of shared libraries, such as libraries written in the Java ™ Object Oriented Programming Language and implemented as ordinary shared library files called JAR files. . Thus, the program files stored in these libraries can be easily and efficiently shared and used by any program module that is part of a vendor's product.

Shared libraries are often used to maintain class definitions when vendor products are written using object oriented programming.
In an object oriented programming environment, objects generally encapsulate data members and the functional members (or methods) that operate on those data members. An object is an instance of a class that defines various data members and methods shared by objects of the same class. Thus, shared libraries can be used to define each type of object used in a vendor's product.

[0004]

[Problems to be Solved by the Invention]

It is important that users have access to the parts of the shared library that are intended to be shared. This is how that content (commonly called a program file) is intended to be used in such a library configuration. However, not all of the content is intended to be used outside of a shared library. There are class definitions and objects that can be accessed by any code that uses shared libraries, even if they are intended to be used only within the library configuration. As a result, one of the problems faced by software vendors using shared libraries is limiting access to portions of the shared library that are not intended to be shared outside the library configuration. For example, a Java (TM) library packaged in a JAR file is declared public and therefore a Java (TM) package is intended to be used only within that library. Regardless, it can be accessed by any code that uses the Java ™ library.

In addition to the basic problem of having an external process through unauthorized access to these parts of the shared library, such problems can result in other problems. For example, namespace issues can arise when a portion of a shared library that is supposed to be used only inside the library is used externally. The software vendor that created the shared library may use a particular name or naming convention for parts of the shared library regardless of namespace collisions external to the shared library. However, if an external process accesses a package that is strictly intended to be internal to that library, the name for that package conflicts with the name of another package or object already used by the external process. there's a possibility that. In such situations, duplicate class definitions for a given package name can arise, which can be a problem as to how to resolve which feature is associated with the named package or object. There is a nature.

[0006] Sealing in the Java ™ programming language.
The introduction of g) has detected some examples of this problem and raised the error.
The situation is improved by making it possible. However, simply raising the error at runtime and requiring the end user to take appropriate action to fix the problem is not as desirable as leaving the problem's progression. Also, sealing will generally not help in critical cases where it is desired to ship an application or applet bundled with a particular version of an extension. If another version of the extension is already installed on the end user's computer, the installed one will take precedence over the bundled one.

Thus, while allowing access to certain parts of the shared library,
What is needed is a system that limits access to other parts of the shared library.

[0008]

[Means for Solving the Problems]

The method, system and product according to the present invention overcome the drawbacks of existing systems by using a class loader to restrict access to parts of a shared library such as JAR files. The class loader creates an interface between the external process trying to access the program files in the library and the files in the library itself. The method, system, and product according to the present invention as embodied and broadly described herein load program files from a shared software library. A program file is typically a class definition loaded by a class loader. Next, an interface to the loaded program file is created. The interface, which is preferably an interface object, has a status indicator as to whether the program file can be exported. This state indicator is preferably determined by executing a state method that is part of the preferred interface object, which state indicator determines whether the program file can be exported from a shared library. used. State methods are typically generated by reading an attribute in the shared library that indicates whether the program file can be exported. If the program file cannot be exported based on the status indicator, access to the program file is restricted. On the other hand, if the status indicator indicates that the program file is exportable, the program file is returned to the requesting process.

According to another feature of the invention, the methods, systems and products embodied and broadly described herein provide a system for restricting access to object class definitions in shared library files. Is shown. The system includes memory storage that maintains shared libraries and class loaders. The system also includes a processor connected to this memory storage device.
The processor operates to load an object class definition from a shared library on memory storage using a class loader. Once the proper object class definition location is located and loaded in the shared library,
The processor is further operative to instantiate the interface object in memory storage, typically by calling a package method in the class loader. This interface object is associated with the object class definition and contains state methods created in memory storage by the processor as part of the interface object.
This state method defines the ability to specify whether an object class definition is accessible by an external process executing on the processor. The processor also operates to call state methods to determine if the object class definition is designated as accessible by an external process. Finally, the processor can restrict access to the object class definition if the executed state method indicates that the object class definition is not designated as accessible by the external process.

According to yet another aspect of the invention, the methods, systems and products embodied and broadly described herein limit access to object class definitions in a shared software library. 3 illustrates a computer-readable medium containing instructions for: When the instruction is executed, the class loader is used to load the object class definition from the shared software library. An instance of the interface object associated with that object class definition is then created by the class loader along with the state methods associated with that interface object. Another method in the class loader is typically called to create an instance of the interface object. The state method indicates whether the object class definition is designated as accessible by the external process. The state method is called to determine if the object class definition has been designated as accessible by the external process. Finally, access to the object class definition is restricted if the state method indicates that the object class definition is not designated as accessible by the external process.

[0011]

DETAILED DESCRIPTION OF THE INVENTION

Embodiments of the invention are illustrated in the accompanying drawings, which are incorporated in and constitute a part of this specification. The advantages and principles of the invention will be apparent from the drawings and description. Hereinafter, one embodiment according to the present invention shown in the accompanying drawings will be described in detail. Wherever possible, the same reference numbers are used consistently in the drawings and the following description to refer to the same or like parts.

INTRODUCTION In general, the method and system according to the present invention, in the Java ™ programming language, uses a class loader to limit the parts of a shared library that can be accessed by external processes. Handles the invocation while a process like a written applet is running. By doing so, the parts of the shared library intended to be restricted to internal use cannot be accessed and used by external processes.

More specifically, a request for a program file (such as a class definition) is received by a class loader from a running process (such as an applet) outside of a shared library. In response to receiving the request, the class loader loads the appropriate program file from the shared library and generates an interface (such as an interface object) to the loaded program file. The interface has a status indicator (such as a status method) that indicates whether the program file can be exported to an external process. Based on the value of the status indicator, access to the loaded program file is restricted by the generated interface to that program file. If access to the program file is restricted, running processes are denied access to the program file. Otherwise, the running process receives access to the program file via the interface. In this way, the class loader is used not only to properly load the appropriate class definitions, but also to provide the ability to restrict access to parts of the shared library that are intended to be accessed only internally. To be done.

Computer Architecture FIG. 1 shows an exemplary data processing system 100 suitable for implementing the method according to the invention and configuring a system according to the invention. Referring to FIG. 1, a data processing system 100 includes a computer system 110 connected to a network 170 such as a local area network, a wide area network or the Internet.

The computer system 110 includes a memory storage device called a main storage device 120,
It includes an auxiliary storage device 130, a central processing unit (CPU) 140, an input device 150, and a video display device 160, each of which is electronically connected to another portion of computer system 110. In the exemplary form in accordance with the invention, computer system 110 is configured using the SPARC ™ computer architecture. A more detailed description of the SPARC ™ computer architecture is available from SPARC International, Inc. of Metropark, Calif., Which is hereby incorporated by reference.
It is described in several documents including the trade name) V9 reference manual.

In the computer system 110, the main storage device 120 includes an operating system 128, a virtual machine (VM) 126, a class loader 122, and a shared library 124. VM illustrated for this description
126 is a Java ™ virtual machine (JVM), which is part of the Java ™ runtime environment included in the Java ™ Software Development Kit (JDK). The JDK is available from Sun Microsystems, Inc. of Palo Alto, CA. Generally, a JVM receives instructions from a program (such as an applet) in the form of bytecode and acts like an abstract computing machine. Bytecode is essentially a compiled format for a general purpose program, such as a program written in the Java ™ programming language. When instructions or bytecodes are received, the JVM interprets these bytecodes by dynamically converting these bytecodes into a form for execution such as object code and executing them.

This execution scheme for applet-like program modules written in the Java ™ programming language facilitates the platform-independent nature of the JVM. More details on the JVM can be found in the document referenced herein (Lindholm and Yellin, “The Java Virtual Machine Specifica.
tion ", Addison-Wesley, 1997).

During execution of the program module, the VM 126 will have a symbolic reference to the object class that must be loaded.
e) may be encountered. In this situation, VM126 typically
Delegate the task of loading the appropriate program files to the class loader. Class loaders are known in the art and are typically used when an interpreter requests an object class definition that has never been loaded. Basically, the class loader loads the object class definition from the particular storage location (remote server or local memory file) where the object class definition is maintained. A more detailed description of a conventional class loader is assigned to Sun Microsystems, Inc., Mountain View, Calif.
FOR RESOLVING SYMBOLIC REFERENCES TO EXTERNALLY LOCATED PROGRAM FILES ”
)It is described in.

The exemplary class loader 122 is a regular class loader with some additional features added that allow it to act as a selective interface mechanism to parts of a shared library, such as shared library 124. is there. In particular, the class loader 122 can generate an interface to the program files in the shared library 124. The interface also has a status indicator that determines whether those program files are exported to or accessible by the external process. This ability to load the appropriate class definition from the correct location and act as an interface allows the class loader 22 to restrict access to program files, such as object class definitions, in a shared library.

For example, an external process (such as an applet that runs in conjunction with VM 126) needs to load a particular class definition because it is not already loaded into main memory. If the class definition is intended to be exported to an external process, you just need to load the class definition. However, if the class definition is not intended to be accessible by an external process, another step of restricting access to the class definition is needed. The class loader 122 receives the request and loads the requested class definition from within the shared library 124. In this example, the library 124 is constructed as a regular JAR file that maintains the definition of many classes of Java packages or objects. at this point,
The class loader 122 creates an interface object, also called a package object, which encapsulates the requested class definition and contains state methods as state indicators. If the requested class definition is specified as accessible from the outside, the result of executing the state method is a preselected value such as "true". In the following, a more detailed description will be given with respect to FIG.

Furthermore, although the arrangement according to the invention is described as being implemented with a JVM, it is also possible that the system and method according to the invention may also be implemented in an environment other than a Java ™ environment. Will be recognized by the vendor. For example, a request for a program file (such as a class definition) in a shared library can be made by the operating system 12 without requiring the VM 126.
8 may be performed from a multithreaded application program module (not shown) that runs with.

In addition, all or part of the system and method according to the present invention may include auxiliary storage such as hard disks, floppy disks and CD-ROMs,
Carrier wave received from the Internet, or another form of ROM or RAM
It will be appreciated by those skilled in the art that it may be stored on or read from another computer readable medium such as. Finally, although specific components of data processing system 100 have been described, those skilled in the art
It will be appreciated that additional or different components such as multiprocessors and various input / output devices may be included in data processing system 100 suitable for use with the exemplary embodiments.

Access Restriction System FIG. 2 illustrates how an exemplary class loader is used to restrict access to files in an exemplary shared library according to one embodiment of the invention. 3 is a more detailed block diagram showing FIG. Referring to FIGS. 1 and 2, V
M126, class loader 122 and shared library 124 are shown as blocks of interacting software. Within VM 126 is an applet 205 containing instructions or bytecode that is interpreted and executed by this VM 126. During execution of bytecode from applet 205, VM 126 needs to load a specific object class definition. This is because the bytecode lists the objects defined by that particular object class that have not yet been loaded into main memory 120 from shared library 124. The VM 126 uses the class loader 12 to load the appropriate object class definition for that bytecode.
Use 2 or delegate to it to find the correct object class definition. In this way, the class loader 122 uses V to define the object class.
Receive request from M126.

In response to the request, class loader 122 determines the appropriate object class definition to load. In the exemplary embodiment shown in FIG. 2, the appropriate object class definitions are located in a shared library 124 that maintains various program files such as class definitions 200, 202 and 204. In the example shown in FIG. 2, the class loader 122 determines that the object class definition 200 is a proper definition and retrieves the object class definition from the shared library 124. Up to this point, this is typically done by most normal class loaders.

In addition to the standard class loading functionality described above, the class loader 122 includes methods that create an interface to object class definitions. In the exemplary embodiment, method 220 is get. It is called a package. g
et The package method 220, when called, instantiates an object 210 (called an interface object or package object) that encapsulates the object class definition 200. ge
t The package method 220 also creates a method 215 (commonly called a state method) as part of creating the interface object 210, which specifies that the object class definition is accessible to external processes. Indicates whether or not Typically the class loader 122
The method 220 in searches in the shared library 124 for an indicator or another type of flag type mechanism that indicates whether the desired object class definition can be exported. In an exemplary embodiment, g
et The package method 220 reads the attribute 208 in the manifest or header 206 of the shared library 124. Manifest 206 is a shared library 124
Maintains information about the content within (ie, program files). As part of manifest 206, attribute 208 is preferably a list of files in shared library 124 designated as exported to or accessible by the external process.

Get based on attribute 208 The package method 220 defines a state method 215 in the interface object 210 to supply or return an appropriate value when executed. For example, the object class definition
State method 215 if 200 is not accessible by an external process
(In the exemplary embodiment, "is called "exported" returns a "false" value when it is called. In this way the class loader 122 indicates that the program file is not exported by the status indicator (state method 215). ), And find and load the correct program file (such as applet 205).

In a more detailed embodiment where shared library 124 is a JAR file, the JAR file provides the ability to declare one or more of its packages to be exported. The classes and resources contained within the exported package are visible to another JAR file. Packages that are not exported are called private and their classes and resources are visible only within that JAR file. Also, private classes and resources are of local scope, and the definition in the JAR file may be visible when the class / resource name must be resolved in code from this JAR file. It is meant to take precedence over any other class / resource of the same name.

In this detailed embodiment, the exported package is Expo
rted: (true | false) Declared by manifest attribute 208 per new entry. This boolean attribute indicates whether the particular package should be exported. For example, the following manifest entry: Name: javax / foo / Export: true, the package javax. foo will be exported.

This attribute can be applied to individual class or resource files as well as packages and directories. In this embodiment, when a package or directory is exported, it contains the class /
All of the resources are exported automatically unless they are explicitly dedicated by having their own export: false attribute. However, packages / directories are usually not automatically exported if they contain subpackages / subdirectories.

In one exemplary embodiment, the default is typically the specified Ex
This is done for all packages / directories and classes / resources that should be exported if there are no ported attributes. At least one Exp
If the orted attribute is specified, the default is that each and every one is dedicated unless it is declared to be exported.

The JAR tool in the Java ™ programming language has a -e option that allows the export file to be specified. this is,
It is convenient for software developers so that they can list exports concisely rather than having to generate the appropriate manifest files. The format of the export file is preferably a sequence of package names and JAR file entries, each package name and JAR file entry being terminated by a new line. For example, the following export file using the -e option: foo. bar foo. baz / images / foo. gif / foo. Specifying the properties can be done with the usual -m option in the following manifest file:

[Equation 1] Is the same as specifying.

The -e and -m options can be used together, in which case the manifests are combined. In the combination of manifests, the Exported attribute generated from the -e option has priority. That is, E from another manifest
The export file always lists the complete set of exports because any of the xported attributes are ignored.

In one exemplary embodiment, the class java.net.URLClassLoader is used as the class loader 122 to load classes and resources from the JAR file's class path and directory URL. As shown in FIG. 2, this embodiment basically wraps each JAR file on the classpath that declares one or more exported packages in its manifest.
) For creating a small class loader. This class loader is Jar Cl
It is preferably called an ass Loader, which becomes a private class whose purpose is to allow any code loaded from a shared library 124 (eg, JAR file) to access its own private class and resources, On the other hand, keep them hidden from other JAR files on the classpath.

[0034]    The following is an example configuration of the Jar Class Loader written in pseudo code:

[Equation 2]

[Equation 3]

[Equation 4]

[Equation 5]

In connection with the pseudo code of the example above, the URL Class Loader will use JarCla for each JAR file on the classpath that declares one or more exported packages.
Will create a new instance of ssLoader. The surrogate parent to the Jar Class Loader is the URL Cl generated for the classpath containing the JAR file.
An instance of ass Loader. The Jar Class Loader's load Class method will be called whenever code loaded from a JAR file is linked.

First, find Lo to check if the class has already been loaded.
aded Class () is called. Then, if the class is included in this JAR file but not declared to be exported, JAR the class.
An attempt is made to load from a file. If this fails, the parent URL Class Loader's loaded Class () method is called to check the public class. This allows private classes to have local scope while maintaining normal scope for public classes.

The URL Class Loader calls the Jar Class Loader's load Exported Class method to load the class if it checks this JAR file for a class referenced by another JAR file on the classpath. Will call. This method is similar to the Load Class method, except that it does not check the surrogate parent and it only loads the class from the JAR file where it was declared to be exported. This prevents the private class from being loaded by another JAR file on that classpath.

Access Restriction Process With reference to the flowchart of FIG. 3 below, steps of an exemplary method according to the present invention for restricting access to program files such as object class definitions in a shared library using a class loader. Will be described in more detail. With reference to FIGS. 1-3, the method 300 starts at step 305, which is step 305.
At, the external process delegates to the class loader to load the requested class definition. In the exemplary embodiment, applet 205 has bytecodes that are interpreted by VM 126, and thus VM 126 is responsible for loading the appropriate object class definitions needed to interpret the bytecodes. Call the loader 122.

In step 310, the appropriate class definition is located and loaded. In the exemplary embodiment, class definition 200 is determined by class loader 122 to be a suitable class definition to retrieve from shared library 124.

In step 315, the method that causes the interface to the loaded class definition is called. In general, the interface can be any type of program interface or programming structure that can selectively access another file or information. In the exemplary embodiment, get is used to create an instance of interface object 210 as an interface. The package method 220 is called. get When the package method 220 executes, step 330
At 208, the attribute 208 in the shared library 124 is read and its interface determines if the requested program file in the shared library 124, such as the class definition 200, is accessible.

In step 325, an instance of the interface (eg, interface object 210) is created for the class definition 200. As part of creating the interface object 210, a state method is created in step 330 in response to the attribute 208 in the shared library 124. The state method is used to determine whether the class definition is designated as accessible to an external process according to attribute 208. In the exemplary embodiment,
The state method is is in the interface object 210. exported
Configured as method 215. Runtime, is exported method 215
Generally acts as a status indicator that indicates whether class definition 200 is accessible by an external process such as applet 205. Therefore, if the class definition 200 is inferred to be accessible to external processes, e
The xported method 215 returns a "true" export indicator.

In step 335, the state method is called, which in step 340 is the class definition, or, generally speaking, the interface object 210.
Determines if a program file encapsulated by can be exported. If the export indicator indicates that the class definition is exportable, then step 340 proceeds to step 345, where the class definition is returned by the class loader 122 to the requesting process (eg, VM 126 interpreting applet 205). Be done. Otherwise, step
340 goes directly to step 350, where access to the class definition is restricted and the class definition is not returned to the requesting process. Instead, the class loader 122 throws an error condition that attempts to access an inaccessible file, and an exception indicating that the requested class definition was not found.

Conclusion The method and system according to the invention described above limits access to parts of the shared library 124, such as program files, or in particular to object class definitions. These methods and systems use the class loader 122 to load object class definitions from the shared library 124 and generate an Internet object 210-like interface to the loaded class definitions 200 of the shared library 124. As part of the interface, state methods are generated depending on the value of attribute 208 in shared library 124. Invoking the state method returns an export indicator that indicates whether the encapsulated class definition in the interface is designated as accessible by an external process, such as applet 205. If the class definition is intended to be used only internally by the shared library and not by an external process, the state method indicates so and the class loader 122
Restrict access to that part of shared library 124.

The foregoing description of the configuration of the present invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the form disclosed. Modifications and variations are possible in light of the above teachings and may be made in the practice of the invention. For example, although the forms described include software, the invention may be implemented as a combination of hardware and software, or solely in hardware. The system according to the invention is also adaptable for executing programs written in all computer programming languages, including the Java ™ programming language, Smalltalk-80 and C ++.

Furthermore, those skilled in the art will recognize that although the present invention has been described with respect to object oriented systems, it can be implemented with non object oriented programming systems as well. The technical scope of the present invention is defined by the claims and their equivalents.

[Brief description of drawings]

FIG. 1 is a block diagram of a data processing system suitable for use with the methods and systems of the present invention.

FIG. 2 is a block diagram illustrating how a class loader can be used to restrict access to files in a shared library according to one embodiment of the invention.

FIG. 3 is a flowchart showing exemplary steps performed by a class loader to restrict access to files in a shared library according to one embodiment of the invention.

[Procedure for Amendment] Submission for translation of Article 34 Amendment of Patent Cooperation Treaty

[Submission date] December 18, 2001 (2001.12.18)

[Procedure Amendment 1]

[Document name to be amended] Statement

[Name of item to be amended] Claims

[Correction method] Change

[Contents of correction]

[Claims]

─────────────────────────────────────────────────── ─── Continued front page    (81) Designated countries EP (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, I T, LU, MC, NL, PT, SE, TR), OA (BF , BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG), AP (GH, G M, KE, LS, MW, MZ, SD, SL, SZ, TZ , UG, ZW), EA (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, B Z, CA, CH, CN, CR, CU, CZ, DE, DK , DM, DZ, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, J P, KE, KG, KP, KR, KZ, LC, LK, LR , LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, PL, PT, R O, RU, SD, SE, SG, SI, SK, SL, TJ , TM, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW (72) Inventor Lian, Shen             California, United States             94041 Mountain View, number 23,             Calderon Avenue 210 (72) Inventor Benjamin, Renaud             California, United States             94114 San Francisco, Nine Tea             St. Street 3970 F-term (reference) 5B076 AB04 AB10

Claims (19)

[Claims] 1. A method for restricting access to a program file in a shared library, wherein the program file is loaded from the shared library and an interface for the loaded program file is generated, the interface being exported. Has a status indicator as to whether the program file is exportable, and based on the status indicator, determines whether the program file is exportable, and if the program file is not exportable, the program file A method including the step of restricting access to. 2. The method of claim 1, further comprising returning the program file if the program file is exportable. 3. The method of claim 1, further comprising receiving a request for a program file, the loading step further comprising loading the program file in response to receiving the request. 4. The method of claim 1, wherein the loading step further comprises loading the class definition as a program file using a class loader. 5. The generating step generates an interface object encapsulating the class definition as an interface and generates a state method in the interface object, the state method providing a state indicator when it is executed. The method of claim 4, further comprising the step of: 6. The method of claim 4, wherein the step of generating further comprises the step of reading an attribute in the shared library, the attribute indicating whether the class definition can be exported. 7. The step of determining further comprises the step of calling a state method to provide the export indicator as a state indicator, the export indicator indicating whether the class definition can be exported. The method described. 8. A method for limiting access in a computer-readable medium containing instructions for controlling a data processing system to perform the method for limiting access to an object class definition in a shared library. , Loads the object class definition from the shared library using the class loader, instantiates the interface object associated with the object class definition, and indicates whether the object class definition is designated as accessible by an external process Creates a state method associated with the interface object and calls the state method to determine if the object class definition is designated as accessible by an external process, If it is not specified as is accessible is indicated by the state method by Department process, computer-readable medium, including the step of limiting access to object class definitions. 9. The computer-readable medium of claim 8, further comprising returning the object class definition only if the status method indicates that the object class definition is designated as accessible by an external process. . 10. The computer-readable medium of claim 8, further comprising receiving and loading a request for an object class definition, further comprising loading the object class definition in response to receiving the request. 11. The computer-readable medium of claim 8, wherein the step of instantiating the interface object further comprises the step of calling a package method in the class loader to instantiate the interface object. 12. The step of generating a state method calls a package method to read an attribute in a shared library, the attribute indicating whether the object class definition is designated as accessible by an external process. The computer-readable medium of claim 11, further comprising the step of directing and generating a state method as part of the attribute-based interface object. 13. The computer readable of claim 12, wherein invoking the state method further comprises invoking the state method to provide an export indicator that indicates whether the class definition can be exported. Medium. 14. A computer system for restricting access to an object class definition in a shared library file, comprising: a memory storage device maintaining a shared library file and a class loader; and a processor connected to the memory storage device. The processor uses a class loader to load an object class definition from a shared library on memory storage and instantiates an interface object in the memory storage, the interface object being associated with the object class definition. In the memory storage device, a state method is generated as a part of the interface object, and the state method is defined by an external process executing on the processor. Defines the ability to specify accessibility and calls state methods to determine if an object class definition is designated as accessible by an external process, and the object class definition is accessible by the external process. A computer system that operates to restrict access to an object class definition if the status method indicates that it is not specified as. 15. The processor further enables access to the object class definition by the interface object only if the state method indicates that the object class definition is designated as accessible by an external process. 15. The computer system of claim 14, which operates as follows. 16. The processor is further operative to receive a request for an object class definition from an external process executing on the processor, the loading step further comprising loading the object class definition in response to receiving the request. 15. The computer system according to claim 14, wherein 17. The computer system of claim 14, wherein the processor is further operative to call a package method in the class loader to instantiate the interface object in memory storage. 18. The processor further operates to call a package method to read an attribute in the shared library, the attribute indicating whether the object class definition is designated as accessible to an external process. The computer system of claim 14, further operative to generate a state method in the memory storage device as part of the interface object based on the attribute. 19. The computer system of claim 18, wherein the processor is further operative to call a state method to provide an export indicator that indicates whether the class definition can be exported.